verzia 2.117, 2018/08/23 04:34:58 |
verzia 2.122, 2020/09/17 18:58:29 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.116 2018/06/28 23:13:42 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.121 2019/10/08 22:25:30 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Riadok 269 unload_modules() |
|
Riadok 269 unload_modules() |
|
print_iface_status() |
print_iface_status() |
{ # {{{ |
{ # {{{ |
# Print interfaces: |
# Print interfaces: |
print_info "$(pad7 "# iface") | $(pad15 "IP address") | $(pad15 "Gateway") | $(pad15 "Broadcast") | $(pad15 "Netmask") | HW address"; |
print_info "$(pad15 "# iface") | $(pad15 "IP address") | $(pad15 "Gateway") | $(pad15 "Broadcast") | $(pad15 "Netmask") | HW address"; |
for iface in $interfaces; do |
for iface in $interfaces; do |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for IP in ${!IPS}; do |
for IP in ${!IPS}; do |
Riadok 277 print_iface_status() |
|
Riadok 277 print_iface_status() |
|
Bcast="Bcast_$iface"; |
Bcast="Bcast_$iface"; |
Mask="Mask_$iface"; |
Mask="Mask_$iface"; |
HWaddr="HWaddr_$iface"; |
HWaddr="HWaddr_$iface"; |
print_info "$(pad7 $iface) | $(pad15 ${IP}) | $(pad15 ${!Gateway}) | $(pad15 ${!Bcast}) | $(pad15 ${!Mask}) | ${!HWaddr}"; |
print_info "$(pad15 $iface) | $(pad15 ${IP}) | $(pad15 ${!Gateway}) | $(pad15 ${!Bcast}) | $(pad15 ${!Mask}) | ${!HWaddr}"; |
done |
done |
done |
done |
} # }}} |
} # }}} |
|
|
return; |
return; |
fi |
fi |
|
|
print_info -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
print_info -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE -> $NAT_LAN_IFACE" |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
if [ "X$XEN_MODE" = "Xon" ]; then |
if [ -n "$NAT_SUBNET_SRC" ]; then |
if [ -n "$NAT_SUBNET_SRC" ]; then |
Riadok 763 do_ban_single_ip() |
|
Riadok 763 do_ban_single_ip() |
|
return; |
return; |
fi |
fi |
for banned_ip in $*; do |
for banned_ip in $*; do |
$IPTABLES -A INPUT -s $banned_ip -j DROP; |
# This does immediate connection termination, but it must be inserted |
if [ "X$XEN_MODE" = "Xon" ]; then |
# and thus not appended into chain, otherwise connection will still |
print_info -ne " XEN_MODE "; |
# remain alive. Former forward chain rule was removed as unneccessary. |
else |
# -- Nepto [2018-08-23] |
# This does immediate connection termination, but it must be |
# -- Plantroon [2018-12-10] |
# inserted (not appended) into chain, otherwise connection |
$IPTABLES -I INPUT -s $banned_ip -j DROP; |
# will still remain alive -- Nepto [2018-08-23] |
|
$IPTABLES -I FORWARD -s $banned_ip -j DROP; |
|
fi |
|
done |
done |
} # }}} |
} # }}} |
|
|
Riadok 819 allow_accept_all() |
|
Riadok 816 allow_accept_all() |
|
fi |
fi |
} # }}} |
} # }}} |
|
|
|
allow_accept_vrrp() |
|
{ # {{{ |
|
if [ ! -z "$IFACE_ACCEPT_VRRP" ]; then |
|
print_info -en "Accepting VRRP packets on interfaces:" |
|
for iface in $IFACE_ACCEPT_VRRP; do |
|
print_info -en " $iface" |
|
$IPTABLES -A INPUT -i $iface -d 224.0.0.18/32 -p vrrp -j ACCEPT; |
|
$IPTABLES -A OUTPUT -o $iface -d 224.0.0.18/32 -p vrrp -j ACCEPT; |
|
done |
|
print_info " done." |
|
fi |
|
} # }}} |
|
|
drop_input() |
drop_input() |
{ # {{{ |
{ # {{{ |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
Riadok 1748 my (%ip, %ifname, %ip6, %scope6, %bcast, |
|
Riadok 1758 my (%ip, %ifname, %ip6, %scope6, %bcast, |
|
|
|
while (my $line = <STDIN>) { |
while (my $line = <STDIN>) { |
chomp $line; |
chomp $line; |
if ($line =~ m/^([a-z0-9:]+)\s+.*?([a-z0-9:]+)\s*$/i) { # Linux interface |
if ($line =~ m/^([a-z0-9:-]+)\s+.*?([a-z0-9:]+)\s*$/i) { # Linux interface |
$iface = $1; |
$iface = $1; |
my $iface_hwaddr = $2; |
my $iface_hwaddr = $2; |
my $x_iface = $iface; |
my $x_iface = $iface; |
$iface =~ s/:$//g; |
$iface =~ s/:$//g; |
$iface =~ s/:/_/g; # convert "eth0:0" --> "eth0_0" |
$iface =~ s/:/_/g; # convert "eth0:0" -> "eth0_0" |
$x_iface = [ $x_iface =~ m/^([a-z0-9]+)/i ]->[0]; # convert "eth0:0" --> "eth0" |
$iface =~ s/-/_/g; # convert "br-a97b1d2fbcc4" -> "br_a97b1d2fbcc4" (Docker) |
|
$x_iface = [ $x_iface =~ m/^([a-z0-9]+)/i ]->[0]; # convert "eth0:0" -> "eth0" |
$ifname{$iface} = $x_iface; |
$ifname{$iface} = $x_iface; |
$ipcount{$iface}++; |
$ipcount{$iface}++; |
$hwaddr{$iface} = $iface_hwaddr; |
$hwaddr{$iface} = $iface_hwaddr; |
Riadok 1805 printf "interfaces=\"%s\"; export inter |
|
Riadok 1816 printf "interfaces=\"%s\"; export inter |
|
my @vals = split(/\s+/, $line); |
my @vals = split(/\s+/, $line); |
foreach my $key (@columns) { |
foreach my $key (@columns) { |
$iface->{$key} = shift @vals; |
$iface->{$key} = shift @vals; |
|
if ($key eq "Iface") { |
|
# convert "br-a97b1d2fbcc4" -> "br_a97b1d2fbcc4" (Docker) |
|
$iface->{$key} =~ s/-/_/g; |
|
} |
} |
} |
|
|
foreach my $key (qw( Gateway Destination )) { |
foreach my $key (qw( Gateway Destination )) { |
|
|
# |
# |
# (un)commnet next lines as needed |
# (un)commnet next lines as needed |
# |
# |
bann_ip_adresses |
|
allow_accept_all |
allow_accept_all |
|
allow_accept_vrrp |
nmap_scan_filter |
nmap_scan_filter |
invalid_packet_filter |
invalid_packet_filter |
anti_spoof_filter |
anti_spoof_filter |
|
|
shaping_on |
shaping_on |
configure_special_rules |
configure_special_rules |
custom_rules |
custom_rules |
|
bann_ip_adresses |
$IPTABLES_SAVE -c > $CACHE_FILE |
$IPTABLES_SAVE -c > $CACHE_FILE |
;; |
;; |
|
|
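Review bot: Dropping the `-I FORWARD` rule in do_ban_single_ip (the Riadok 763 hunk) leaves a banned address blocked only on the INPUT chain, so on a host that forwards traffic — this same script sets up NAT masquerading and a XEN mode — packets from that address towards masqueraded or forwarded hosts are no longer dropped, and the comment's "removed as unneccessary" reads as a coverage regression rather than a cleanup unless forwarding is never enabled where bans are used. I would keep the pair and quote the expansion, `$IPTABLES -I INPUT -s "$banned_ip" -j DROP; $IPTABLES -I FORWARD -s "$banned_ip" -j DROP;`, since the unquoted `$*`/`$banned_ip` word-splits if an entry ever carries whitespace. Separately, in the Riadok 1758 Perl hunk the new `s/-/_/g` is applied to `$iface` while `$x_iface` is still derived with `m/^([a-z0-9]+)/i`, so a Docker bridge such as `br-a97b1d2fbcc4` yields `$ifname{br_a97b1d2fbcc4} = "br"`; if `%ifname` is what later rules bind with `-i` (its use is outside the hunk), that rule names a device that does not exist, and the capture should be `m/^([a-z0-9-]+)/i`. Both enclosing functions start outside their hunks.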